January 2014 Archives
January 28, 2014
Today EPIC is launching our Privacy Rights Blog. The goal of the blog is to expand on our coverage of emerging privacy and open government issues by publishing extended posts written by EPIC staff and special guests. We will post our thoughts on recent news items, legal developments, and policy issues. If you have comments, questions, or suggestions for future blog topics, please contact us at blog [at] epic [dot] org. Thanks for reading!
Earlier this month at our Capitol Hill briefing entitled "Failing Grade: Education Records and Student Privacy," Senator Ed Markey announced plans to introduce new student privacy legislation. Senator Markey set out four principles his bill would cover: (1) student information may never be used to market products to children; (2) parents must have the right to access and amend student information held by private companies; (3) schools and private companies must safeguard student information; and (4) companies must delete student information after it is no longer needed for educational purposes. Following the Senator's remarks, I had the pleasure of participating in a lively student privacy discussion with the Department of Education's Chief Privacy Officer Kathleen Styles, Fordham Law School's Professor Joel Reidenberg, and EPIC Advisory Board members Dr. Deborah Peel and Dr. Pablo Molina. The Senator's planned legislation is a very good first step. It could, however, go further. For example, it should provide monetary damages to students if companies violate the law. The legislation should also apply to all students, not just minor students.
We here at EPIC have been ramping up our student privacy project. In December 2013, we filed an extensive complaint with the Federal Trade Commission concerning the business practices of Scholarships.com. The company encourages students to divulge sensitive medical, sexual, and religious information to obtain financial aid information. The company claims that it uses this information to locate scholarships and financial aid. Scholarships.com, however, transfers the data to a business affiliate, American Student Marketing, which in turn sells the data for general marketing purposes. We alleged that this is an unfair and deceptive trade practice. Our complaint also alleges that Scholarships.com's failure to use reasonable security practices is an unfair trade practice. We asked the FTC to require the company to change its business practices. Following our complaint, the company has improved security on its website. Last year, we urged Congress to restore privacy protections for student data following recent changes to the Family Educational Rights and Privacy Act. Pursuant to a Freedom of Information Act lawsuit against the Education Department, we obtained documents which reveal that many private debt collection agencies maintain incomplete and insufficient quality control reports. As government contractors, debt collectors are required to follow the Privacy Act, a federal law that protects personal information. The Education Department also requires student debt collectors to submit quality control reports indicating whether the companies maintain accurate student loan information. The documents we obtained reveal that many companies provide small sample sizes to conceal possible violations of the Act. The documents also show that many companies do not submit required information about Privacy Act compliance to the Education Department.
The FBI has been testing and using automatic License Plate Readers (LPRs) for years, yet recently received Freedom of Information Act documents indicate that it still hasn't fully addressed LPRs' privacy implications.
As of March 2011, the Federal Bureau of Investigation has at least 1 federal agency, 10 state agencies, and 71 local agencies participating in License Plate Reader (LPR) projects that compare license plates against the National Crime Information Center (NCIC) database, an electronic clearinghouse of crime data run by the FBI. LPRs are often placed on top of law enforcement vehicles or at strategic locations like the entry points of bridges or tunnels.
In some cities, the placement of LPRs is so dense that they can effectively track a car's movement through the city. In DC, for example, there is roughly one LPR per square mile and roughly 1,800 images are captured every minute. The images captured by the LPRs are stored for various lengths of time depending on the agency that captures them. The DC police retain images for three years.
Earlier Freedom of Information Act documents obtained by EPIC show that Customs and Border Protection is using LPRs at the borders. More recent FOIA documents obtained by EPIC from the FBI indicate that despite years of use, the FBI still has not fully addressed the privacy implications.
On June 8, 2012 EPIC filed a FOIA request with the Department of Justice and its subagencies, including the FBI. EPIC's request asked for, among other things, any privacy impact assessments, privacy impact statements, and protocols performed, both past and present, for the LPR initiative.
EPIC did not receive any Privacy Threshold Analysis (PTA) or Privacy Impact Assessment (PIA)--two types of documents federal agencies use to assess the privacy impact of programs and technology used by the government. The PTA is specifically used to determine whether the privacy implications are great enough to warrant a more thorough assessment, which is done by performing a Privacy Impact Assessment.
The documents EPIC received show the Department of Justice's Privacy and Civil Liberties Unit considers license plates Personally Identifiable Information and that the FBI needed to do a PIA of the LPRs that would be made public.
Furthermore, the FOIA documents show that the FBI was actually working on a PIA for the LPRs in early 2012.
Nonetheless, EPIC did not receive a PIA regarding the FBI's LPR Program and none exists online as of this blog entry.
PIAs serve as a check against the encroachment on privacy by the government. They allow the public to see how new programs and technologies the government implements affect their privacy, and to assess whether the government has done enough to mitigate the privacy risks. Despite years of use of LPRs by the FBI, the Bureau still has not informed the public how it will mitigate the privacy risks posed by license plate readers. Will it ever?
According to a recent report by the German news site Der Spiegel, the NSA's elite hacking division, known as Tailored Access Operations or TAO, has worked with the CIA and FBI to intercept and install surveillance software on laptops ordered by certain targets. This process, called "interdiction," involves diverting the shipments to a secure facility, installing special software, then repackaging and sending the devices to their final destination. While Fourth Amendment protections might not apply to these packages once they leave the country, the seizure and reconfiguration of consumer products by the NSA is a significant privacy intrusion. These operations, if they were to take place within the United States, present two interesting Fourth Amendment issues that are not commonly discussed: the protection afforded to commercial packages in general, and to international packages specifically.
Presumably these operations would take place within the United States prior to international departure. (If the NSA is using interdiction to infect laptops bound for domestic destinations, that would pose other significant Constitutional problems.) This raises the question: can NSA (or FBI) intercept and infiltrate these packages without a warrant? The answer depends, in part, on where and how the packages were searched and infiltrated.
Border searches can in many instances be conducted without a warrant, probable cause, or even reasonable suspicion. In United States v. Flores-Montano, 541 U.S. 149 (2004), the Supreme Court affirmed a "narrow" border search exception to the warrant requirement of the Fourth Amendment, grounded in the government's right to protect the nation's "territorial integrity." And the Ninth Circuit recently held that commercial sorting facilities, like those used by FedEx to route international packages, are the "functional equivalent" of the border for purposes of this exception. United States v. Seljan, 547 F.3d 993 (9th Cir. 2008).
But the border search exception is not unequivocal, as the Ninth Circuit recently made clear in United States v. Cotterman, 709 F.3d 952 (9th Cir. 2013). In Cotterman, the court held that a comprehensive and intrusive "forensic examination" of laptops and other digital devices at the border requires reasonable suspicion. This is in line with the Supreme Court's recognition in Flores-Montano that certain "searches of property are so destructive," "particularly offensive," or overtly intrusive that they require particularized suspicion. The Supreme Court just dismissed the petition to review Cotterman, so the forensic examination test is now the law of the Ninth Circuit.
A seizure and subsequent infection of a laptop with sophisticated surveillance software is clearly the type of destructive and overtly intrusive action that should require particularized suspicion under this analysis. But this presents another wrinkle: the role of the commercial carrier (FedEx, UPS, etc.) in the interdiction process. At least one federal appellate court has held that the "right to inspect" outlined in FedEx's terms of service agreement eliminated a sender's reasonable expectation of privacy in the contents of their package. United States v. Young, 350 F.3d 1302, 1307 (11th Cir. 2003). Alternatively, the court held that the "bailment" relationship created by the shipment authorized FedEx to consent to a search of the package. Id. at 1308. But this logic has not been broadly applied in other circuits, and there would be significant implications for everyday FedEx and UPS users if it were broadly accepted.
But even under the Eleventh Circuit standard, I think the TAO interdictions described by Der Spiegel would still be considered Fourth Amendment searches. First, because even though FedEx may reserve certain rights to inspect the packages it carries, that would not extend to the type of intrusive software infiltration involved in the TAO operations. And second, because the operations are initiated by NSA, rather than the commercial carrier. In United States v. Jacobsen, 466 U.S. 109 (1984), the Supreme Court affirmed that "letters and other sealed packages are in the general class of effects in which the public at large has a legitimate expectation of privacy; warrantless searches of such effects are presumptively unreasonable." Id. at 114. The Court held that the search in Jacobsen was reasonable because the private carrier initially searched the package on its own, without the government's involvement.
Interdictions have significant Fourth Amendment implications, even if they are limited to targeted international shipments, because they go far beyond what has traditionally been allowed under the border search exception. Furthermore, they implicate the rights of not only the customers, but also the vendors of these devices.
I recently revisited "The Death of the Author," an essay about narrative voice by the poststructuralist critic Roland Barthes. In it, Barthes rejects the phenomenon often labeled "authorial intent," essentially concluding that a text speaks for itself, and that its author, without prior history or consciousness, only comes into being upon transcribing the text. Much of this theory - like much of semiotics - is a thought experiment, designed to distance the reader from the text and create a tension between the authenticity of a narrative and the limits of textual interpretation. But part of the theory, it occurred to me, might be instructional in the legal context. Perhaps "The Death of the Author" describes a process that is analogous to - or even an instantiation of - a legal canon of construction.
The EPIC Open Government Project has been wrestling with a particular issue of statutory interpretation for the last few months. The Freedom of Information Act contains two provisions describing the timeline by which the requester must receive the requested records. The first, located at 5 U.S.C. §552(a)(6)(A)(i), provides that an agency, upon receipt of a FOIA request, shall "determine within 20 days (excepting Saturdays, Sundays, and legal public holidays) after the receipt of any such request whether to comply with such request and shall immediately notify the person making such request of such determination and the reasons therefor." The second, located at 5 U.S.C. §552(a)(6)(E), provides that an agency shall provide "for expedited processing of requests for records (I) in cases in which the person requesting the records demonstrates a compelling need; and (II) in other cases determined by the agency."
These provisions, to our mind, were to be read along the same timeline. Upon receiving a request, an agency has 20 days in which to make a determination and respond to the requester. An agency must also provide for requests that are particularly deserving of immediate attention and create a system for expediting those requests. Where an ordinary request would result in a determination after 20 days, an expedited request would result in a determination more quickly than that. Twenty days is the outer boundary of the timeline, and some requests are treated with more urgency within that timeline.
To our bafflement, we started to encounter agencies in the course of litigation that denied that these provisions related to each other. According to their reading, § 552(a)(6)(A)(i) circumscribed an absolute timeline: 20 days in which to issue a determination. Section 552(a)(6)(E), however, described a relative timeline: an expedited request was moved to the front of the queue of FOIA requests. Once an agency had granted expedited treatment, the logic went, the request was governed by § 552(a)(6)(E), and not by § 552(a)(6)(A)(i). As long as the agency had truly moved the request to the head of the line, the agency was satisfying its legal obligation under the FOIA.
We are still struggling to understand this interpretation of the statute. How could a grant of expedited processing permit an agency to exceed the 20-day timeline prescribed for non-expedited requests? Under that theory, an agency could evade an absolute timeline altogether by granting every request for expedited processing. Surely that would eviscerate the significance of having a provision for "expedited" treatment. Congress could not have meant for the most urgent requests to become unmoored from any timeframe.
But what does "Congress" mean? If we wanted to determine Congress' intent in drafting these two provisions, whom could we ask? Does one member of Congress have the authority to speak to "Congress'" intent in drafting the FOIA? Two members? A quorum of those who contributed to the original Freedom of Information Act debates on the floor and those who participated in any of the FOIA's many amendments?
Or does, in reading a law like the FOIA, "Congress" become a separate, discrete entity? Perhaps "Congress" is something like Barthes' conception of "the Author": a narrative force generated solely by - and wholly contingent on - the text it produces. Perhaps there is no "Congress" with respect to the FOIA outside of the text of the FOIA. But if this is the case, how is either party to determine what "Congress" intended?
It occurred to me that the voice of Congressional intent might be the Court. It is, after all, "emphatically the province of the court to say what the law is." The D.C. Circuit Court of Appeals recently ruled on the significance of the word "determination" in the context of the FOIA. The requester understood "determination" to mean that the agency was required, in 20 days, to complete processing of the entire request. The agency understood "determination" to mean an acknowledgement, or a communication to the requester that the processing was underway. The Court ruled that a "determination" meant something in between: a preliminary assessment of the number of documents located, any exemptions that the agency planned to assert, and an approximate timeline for document production. This ruling ends the obscurity of that word in the text. The Court has provided a definitive exegesis, and the problem of the FOIA-Congress' intent is now a moot point.
But this illustration signals the collapse of the "Death of the Author" metaphor with respect to the American legal system. For Barthes, an author cannot be generated from a text alone; there must also be a reader who, in engaging with the text, creates the "Author." He writes, "The reader is the space on which all the quotations that make up a writing are inscribed without any of them being lost; a text's unity lies not in its origin but in its destination." Whether or not this proposition is true of law generally (Holmes and Dworkin would likely have some choice words on the subject), it cannot be true of statutory interpretation. Were the proposition true, EPIC's understanding of Congress' intended FOIA timeline would be as valid an authentic, self-generated truth as the government's understanding would be. There would be two "Authors" - two "Congresses" - and the Court would generate a third. Instead, the Court has ruled on the text; we know now, legally, what the text says.
I'm still persuaded by the idea that "Congress" must be understood as something other than the Representatives and Senators who sponsor the bills that become the text of our laws. But in the universe of statutory interpretation, it cannot be true that the "Author" is dead. On the contrary, in a legal dispute like the FOIA dispute between EPIC and the government, the entire source of the conflict is the disconnect between reader and author. Whether law exists in the absolute or whether it only comes into being when enacted by the people it governs, the practice of law is contingent on both its origin and its destination - its author and its reader. Barthes writes, "Once the Author is removed, the claim to decipher a text becomes quite futile. To give a text an Author is to impose a limit on that text, to furnish it with a final signified, to close the writing. Such a conception suits criticism very well, the latter then allotting itself the important task of discovering the Author (or its hypostases: society, history, psyche, liberty) beneath the work: when the Author has been found, the text is 'explained' - victory to the critic."
And that derisive parenthetical describes the substance of statutory interpretation, and effectively ends the analogy.
This past year, there has been a great deal of commentary, some of it derisive, regarding Representative James Sensenbrenner's claim to have skipped relevant classified briefings and then not to have been informed of the subsequent classified programs. Ben Wittes over at Lawfare has been particularly scathing, and Stewart Baker has included Sensenbrenner as a candidate for his newly-created Privy Awards, designed to name the "Privacy Hypocrite" of the year. Sensenbrenner ended up receiving a mere 12% of the overall vote, placing him 4th out of 5 candidates and losing to Kathleen Sebelius.
However, upon a closer examination, this behavior is not as laughable as it might seem. In fact, it indicates an important aspect of the realities of engaging in political oversight of the highly classified intelligence community that has not yet been discussed. The desire to avoid being co-opted by the intelligence community is a powerful explanation of why a Congressional member might skip classified briefings.
Sensenbrenner explained to the Washington Post one of his primary rationales for not attending. The Post explained, "He called the practice of classified briefings a 'rope-a-dope' operation in which lawmakers are given information and then forbidden from speaking out about it. Members are not permitted to discuss information disclosed in classified briefings. 'It's the same old game they use to suck members in,' he said."
There has been very little discussion of the dilemma that being exposed to classified programs imposes on a member when they disagree with the program, wish to garner public support for change, and are unable to do so because of classification rules. The most prominent example is that of Senator Ron Wyden, who, unable to get sufficient discussion of the NSA bulk metadata collection program into the public sphere, decided to ask Director of National Intelligence James Clapper, in open session, a question he already knew the answer to.
As Ryan Lizza of the New Yorker describes the scene:
"Wyden leaned forward and read Alexander's comment. Then he asked, 'What I wanted to see is if you could give me a yes or no answer to the question 'Does the N.S.A. collect any type of data at all on millions or hundreds of millions of Americans?' " Clapper slouched in his chair. He touched the fingertips of his right hand to his forehead and made a fist with his left hand.
'No, sir,' he said. He gave a quick shake of his head and looked down at the table. 'It does not?' Wyden asked, with exaggerated surprise. 'Not wittingly,' Clapper replied. He started scratching his forehead and looked away from Wyden. 'There are cases where they could inadvertently perhaps collect, but not wittingly.' Wyden told me, 'The answer was obviously misleading, false.' Feinstein said, 'I was startled by the answer.'"
After the Snowden leaks, Clapper was forced to apologize for what he described as a "clearly erroneous" response and later, in an interview with Andrea Mitchell, explained that he responded in "what I thought was the most truthful, or least untruthful manner by saying no." It's important to dwell on this. Clapper gave an answer that was demonstrably false. He has argued that he had a different conception of the question in his head, but either way, he gave an answer that was not true in open session and declined the opportunity to request a classified briefing (which was the appropriate response, but would have alerted the American people that the NSA does in fact collect data on "millions or hundreds of millions of Americans"). The U.S. Congress has not yet taken any steps to censure Clapper, but on December 19, 2013, Congressman Sensenbrenner and six other Congressmen sent a letter requesting that the DOJ investigate Clapper's statements and respond by January 10, 2014.
Sensenbrenner and Wyden offer two different approaches to dealing with the challenges of intelligence programs that Congress is tasked to oversee, which operate in deep secrecy, away from the gaze of the American people. One approach, led by Senator Wyden, is to continue to draw attention to the program, to question the intelligence officials heavily, and to seek to spark a debate. However, this can be frustrated by the willingness of intelligence officials to dissemble and to engage in semantic word games where words that mean one thing to the American people have a very different meaning within the intelligence community.
The second approach is to recognize that the intelligence community often can be evasive and legalistic and after long experience with it, to simply refuse to play the game on the intelligence community's terms. According to the Post, both Senator Wyden and Senator Mark Udall alleged that misleading statements have occurred, "even during classified sessions."
There is evidence that other Congressmen in addition to Sensenbrenner are refusing to play the intelligence community's game. Recently, the General Counsel for the Director of National Intelligence, Robert Litt, engaged in a defense of Clapper's testimony in a letter to the New York Times. He argued that Clapper was "surprised by the question and focused his mind on the collection of the content of Americans' communications. In that context, his answer was and is accurate."
According to the Washington Post, this is the fourth attempt to explain Clapper's statement and "is at odds with Clapper's own previous admission that he had given the 'least untruthful answer' he could give in response to a question about a classified program." Congressman Mike Rogers, Chairman of the House Intelligence Committee, has refused to let Litt testify before his panel since last summer, even in classified sessions. An unnamed US government official noted, "The committee has not found Bob to be the most effective witness to explain complex legal and policy issues" and his testimony before other committees has been described as "conciliatory in tone, but often tailored in legalistic fashion to obscure broader truths."
Sensenbrenner was Chairman of the House Judiciary Committee from 2001-2007, one of the key architects of the USA Patriot Act, and thus qualified to speak on his experiences with the intelligence community and the original intentions of the USA Patriot Act. As he complained, "How can we do good oversight if we don't get truthful and non-misleading testimony?" How indeed?
Consent in privacy law is dead, the victim of technological developments like Big Data and the Internet of Things--or so the new conventional wisdom goes.
At a workshop held by the Federal Trade Commission in November 2013 on connected devices (the "Internet of Things"), the alleged obsolescence of the Fair Information Practices (FIPs) was a common refrain. Consent was singled out for particularly harsh treatment. Before the conference, the Future of Privacy Forum released a whitepaper arguing for a reimagining of the FIPs by decreasing the role of user control in data collection. And several weeks after the workshop, IAPP's Privacy Perspectives blog featured a post by Eduardo Ustaran declaring that not only was consent "dead," but "continuing to give it a central role is dangerous." Finally, last week, another IAPP blog post echoed the same theme.
Two primary arguments against consent are advanced. First, consent is impractical: in the modern data ecosystem, data is constantly being collected, often by devices with no clear interface. As the FPF whitepaper states, "If the only way to authorize the collection of personal data were based on traditional notice and choice, individuals would be prompted to consent to data collection and use each time they bumped into new connected devices."
Second, conditioning data collection on consent would prevent many socially-beneficial uses of data, because people might say "no." As an example, the FPF whitepaper discusses United Nations Global Pulse, which has used data generated by mobile phones to track post-earthquake migration patterns in Haiti.
An initial problem with these arguments is their misconception of consent. Consent has never been conceived of as a universal prerequisite to data processing. Rather, the role of consent has been understood to vary with context. The 1973 HEW Report--the first articulation of the FIPs--embodied this understanding by tying the requirement of "informed consent" to the presence of "individually identifiable data." The Report discussed traditional conceptions of privacy centered on secrecy and control, and noted that:
Each of the [traditional definitions], however, speaks of the data subject as having a unilateral role in deciding the nature and extent of his self-disclosure. None accommodates the observation that records of personal data usually reflect and mediate relationships in which both individuals and institutions have an interest, and are usually made for purposes that are shared by institutions and individuals. In fact, it would be inconsistent with this essential characteristic of mutuality to assign the individual record subject a unilateral role in making decisions about the nature and use of his record. To the extent that people want or need to have dealings with record-keeping organizations, they must expect to share rather than monopolize control over the content and use of the records made about them. (Emphasis added.)
Consent, properly understood, has a flexibility that ensures its relevance in contemporary society. One example is the treatment of individually identifiable data discussed in the HEW Report. Where personally identifiable information is involved, privacy risks are compelling; where de-identified or aggregate data is involved, privacy risks are lessened, and something less than informed consent may be appropriate. Thus, consent needs no modification to accommodate the social benefits of data. Google Flu Trends, United Nations Global Pulse, and Street Bump involve aggregate data for which the impact on privacy is low.
Moreover, the argument from impracticability assumes an uneven pattern of technological development that seems implausible. If we imagine the world of data as one of limitless possibility, why not do the same for interface design? Surely some of the ubiquitous connectivity promised by the Internet of Things could be directed to a smart phone or other device with a usable interface. Indeed, such developments are already occurring. The Internet of Things might even facilitate data "tagging" that allows for the convenient expression of privacy preferences.
It is also worth asking what role these arguments play in public discourse. Who benefits? While consumers like cool things and want their products and services to function, they are not exactly clamoring for disempowerment regarding the management of their personal data. On the other hand, I'm sure Google and the NSA love hearing about the futility of closing the data floodgates.
Of course, a closer look reveals that not even the boldest commentators truly believe in the death of consent. Ustaran's blog post ends by suggesting that the law "put the onus on those who want to exploit our information by assigning different conditions to different degrees of usage, leaving consent to the very few situations where it can be truly meaningful." The FPF whitepaper also approves of "provid[ing] appropriate controls over those practices that should be forestalled or constrained by appropriate consent." New technologies may very well require revisions to existing frameworks--indeed, several are being developed. Absent a serious alternative framework, however, bold proclamations about the demise of consent merely provide cover for the invasive practices of corporations and government entities.